site2site tunnel issue

Unanswered Question
Jul 22nd, 2009

Hi all, I have a problem with a VPN between an 857 router and an ASA 5510. From the log I can't understand what the issue is.


Debug:


*Jul 22 10:58:14.895: IPSEC(ipsec_process_proposal): invalid local address 1.1.1.1
*Jul 22 10:58:14.895: ISAKMP:(2003): IPSec policy invalidated proposal with error 8
*Jul 22 10:58:14.895: ISAKMP:(2003): phase 2 SA policy not acceptable! (local 1.1.1.1 remote 2.2.2.2)


857 conf:


crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxx address 2.2.2.2
crypto isakmp fragmentation
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel 2.2.2.2
 set peer 2.2.2.2
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 100
!


ASA conf:


crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map TELEFIN_LAN_map 1 match address OUTSIDE_1_cryptomap
crypto map TELEFIN_LAN_map 1 set pfs
crypto map TELEFIN_LAN_map 1 set peer 1.1.1.1
crypto map TELEFIN_LAN_map 1 set transform-set ESP-3DES-SHA
crypto map TELEFIN_LAN_map 1 set security-association lifetime seconds 28800
crypto map TELEFIN_LAN_map 1 set security-association lifetime kilobytes 4608000
crypto map TELEFIN_LAN_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *



Does anyone have an idea of the possible problem?

TIA Enrico.

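
Added example (editor's code, not part of the original thread): a small Python script that reads the two configuration fragments above and compares the phase 2 parameters the two sides actually negotiate. It checks that each side names the other as its peer, that the transform sets match by algorithm rather than by name (the names happen to coincide here, but only the transforms matter to IKE), that the PFS groups agree (a bare `set pfs` on the ASA means group2, which is the ASA default), and that each crypto map is applied to an interface. The last check is the one the `invalid local address 1.1.1.1` debug points at: one common cause of that message on IOS is a proposal arriving for an address that is not on the interface carrying the crypto map, and the 857 snippet as posted does not show `crypto map SDM_CMAP_1` under any interface. The sample configs are trimmed, re-indented copies of what was posted, with the same sanitised addresses; `compare_phase2` returns a list of mismatches, empty when the entries are consistent.

```python
"""Compare the phase 2 (IPsec) settings of an IOS crypto map entry with the
matching ASA crypto map entry. Sample input is constructed from the thread."""
import re

# Constructed sample: the 857 fragment from the post, re-indented as IOS shows it.
IOS_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel 2.2.2.2
 set peer 2.2.2.2
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 100
!
"""

# Constructed sample: the relevant ASA lines from the post.
ASA_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map TELEFIN_LAN_map 1 match address OUTSIDE_1_cryptomap
crypto map TELEFIN_LAN_map 1 set pfs
crypto map TELEFIN_LAN_map 1 set peer 1.1.1.1
crypto map TELEFIN_LAN_map 1 set transform-set ESP-3DES-SHA
crypto map TELEFIN_LAN_map interface OUTSIDE
"""


def parse_transform_sets(config):
    """Map transform-set name -> frozenset of transforms (order-insensitive)."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        sets[m.group(1)] = frozenset(m.group(2).split())
    return sets


def _new_entry():
    return {"peers": set(), "transform_sets": [], "pfs": None, "acl": None}


def _apply_setting(entry, setting):
    """Interpret one 'set ...' / 'match ...' clause; unknown clauses are ignored."""
    words = setting.split()
    if words[:2] == ["set", "peer"]:
        entry["peers"].update(words[2:])
    elif words[:2] == ["set", "transform-set"]:
        entry["transform_sets"].extend(words[2:])
    elif words[:2] == ["set", "pfs"]:
        # On the ASA a bare 'set pfs' means the default group, group2.
        entry["pfs"] = words[2] if len(words) > 2 else "group2"
    elif words[:2] == ["match", "address"]:
        entry["acl"] = words[2]


def parse_ios_crypto_map(config, name, seq):
    """IOS nests the settings as indented lines under one header line."""
    entry = _new_entry()
    header = re.compile(rf"^crypto map {re.escape(name)} {seq} ipsec-isakmp\s*$")
    lines = config.splitlines()
    start = next((i for i, l in enumerate(lines) if header.match(l)), None)
    if start is None:
        raise ValueError(f"IOS crypto map {name} {seq} not found")
    for line in lines[start + 1:]:
        if not line.startswith(" "):
            break  # end of the indented block
        _apply_setting(entry, line.strip())
    return entry


def parse_asa_crypto_map(config, name, seq):
    """The ASA writes every setting as a full 'crypto map NAME SEQ ...' line."""
    entry, prefix, found = _new_entry(), f"crypto map {name} {seq} ", False
    for line in config.splitlines():
        if line.startswith(prefix):
            found = True
            _apply_setting(entry, line[len(prefix):].strip())
    if not found:
        raise ValueError(f"ASA crypto map {name} {seq} not found")
    return entry


def compare_phase2(ios_cfg, asa_cfg, ios_map, asa_map, ios_peer, asa_peer):
    """Return human-readable mismatches between the two entries (empty = consistent)."""
    ios_sets, asa_sets = parse_transform_sets(ios_cfg), parse_transform_sets(asa_cfg)
    a, b = parse_ios_crypto_map(ios_cfg, *ios_map), parse_asa_crypto_map(asa_cfg, *asa_map)
    problems = []
    if asa_peer not in a["peers"]:
        problems.append(f"router peers {sorted(a['peers'])} do not include the ASA {asa_peer}")
    if ios_peer not in b["peers"]:
        problems.append(f"ASA peers {sorted(b['peers'])} do not include the router {ios_peer}")
    # Compare the transforms themselves, not the (arbitrary) set names.
    a_tf = {ios_sets[n] for n in a["transform_sets"] if n in ios_sets}
    b_tf = {asa_sets[n] for n in b["transform_sets"] if n in asa_sets}
    if not a_tf & b_tf:
        problems.append(f"no common transform set: router {a_tf} vs ASA {b_tf}")
    if a["pfs"] != b["pfs"]:
        problems.append(f"PFS mismatch: router {a['pfs']} vs ASA {b['pfs']}")
    # Both maps must be bound to an interface: ASA via a separate 'interface' line,
    # IOS via ' crypto map NAME' under the interface that owns the peer address.
    if not re.search(rf"^crypto map {re.escape(asa_map[0])} interface \S+", asa_cfg, re.M):
        problems.append(f"ASA crypto map {asa_map[0]} is not applied to an interface")
    if not re.search(rf"^ crypto map {re.escape(ios_map[0])}\s*$", ios_cfg, re.M):
        problems.append(f"router crypto map {ios_map[0]} is not applied to any interface in this snippet")
    return problems


if __name__ == "__main__":
    for p in compare_phase2(IOS_CONFIG, ASA_CONFIG, ("SDM_CMAP_1", 1),
                            ("TELEFIN_LAN_map", 1), "1.1.1.1", "2.2.2.2"):
        print("MISMATCH:", p)
```

Run against the posted fragments, the only finding is the unapplied router crypto map; flipping the ASA to `set pfs group5` or to a different transform set makes the corresponding check fire, which is the quickest way to confirm the script is looking at what IKE actually compares.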
epasqualotto Wed, 07/22/2009 - 04:57

The IP addresses of the two peers are correct. For the physical interface, what do you mean? Which check?


Thanks Enrico.

hsbcsydney Wed, 07/22/2009 - 05:16

Try setting the crypto map pfs on the ASA to group2 so that it matches the router.


crypto map TELEFIN_LAN_map 1 set pfs group2

epasqualotto Thu, 07/23/2009 - 23:16

On the 857 router:


access-list 100 permit ip 172.17.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 100 permit ip 172.17.0.0 0.0.255.255 172.30.0.0 0.0.255.255
access-list 101 deny ip 172.17.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 101 deny ip 172.17.0.0 0.0.255.255 172.30.0.0 0.0.255.255
access-list 101 permit ip 172.17.0.0 0.0.255.255 any
ip nat inside source route-map SDM_RMAP_1 pool net-ibs overload
route-map SDM_RMAP_1 permit 1
 match ip address 101


On ASA


access-list DEV_Plant_nat0_outbound extended permit ip 172.31.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list DEV_Plant_nat0_outbound extended permit ip 172.30.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list OUTSIDE_1_cryptomap extended permit ip 172.31.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list OUTSIDE_1_cryptomap extended permit ip 172.30.0.0 255.255.0.0 172.17.0.0 255.255.0.0



I hope this is all that's necessary...
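
Added example (editor's code, not part of the original thread): a Python check over the four ACLs posted above. The ASA insists that the remote side's crypto ACL be an exact mirror of its own (every source/destination pair swapped), so the script normalises the IOS wildcard-mask entries of ACL 100 and the ASA subnet-mask entries of `OUTSIDE_1_cryptomap` to networks and diffs the two sets. It then checks that every protected pair is also kept out of NAT on both ends: on the 857 that is a `deny` in ACL 101, which route-map `SDM_RMAP_1` uses to decide what the overload pool translates, and on the ASA a `permit` in the `nat0` ACL. For the ACLs exactly as posted, `check_tunnel` reports nothing; the `__main__` block adds a constructed extra router entry so the failure path is visible.

```python
"""Mirror-check two sides' crypto ACLs and their NAT exemptions.
Sample ACLs are constructed copies of the ones posted for the 857 and the ASA."""
import ipaddress
import re

IOS_ACLS = """\
access-list 100 permit ip 172.17.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 100 permit ip 172.17.0.0 0.0.255.255 172.30.0.0 0.0.255.255
access-list 101 deny ip 172.17.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 101 deny ip 172.17.0.0 0.0.255.255 172.30.0.0 0.0.255.255
access-list 101 permit ip 172.17.0.0 0.0.255.255 any
"""

ASA_ACLS = """\
access-list DEV_Plant_nat0_outbound extended permit ip 172.31.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list DEV_Plant_nat0_outbound extended permit ip 172.30.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list OUTSIDE_1_cryptomap extended permit ip 172.31.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list OUTSIDE_1_cryptomap extended permit ip 172.30.0.0 255.255.0.0 172.17.0.0 255.255.0.0
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'.

    MASK may be an IOS wildcard (a hostmask) or an ASA subnet mask; the
    ipaddress module accepts either form after the slash."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")


def parse_acl(text, name):
    """Return [(action, src_net, dst_net)] for the 'permit|deny ip' lines of one ACL."""
    pat = re.compile(rf"^access-list {re.escape(name)} (?:extended )?(permit|deny) ip (.+)$", re.M)
    entries = []
    for m in pat.finditer(text):
        rest = m.group(2).split()
        src = _net(rest)
        dst = _net(rest)
        entries.append((m.group(1), src, dst))
    return entries


def mirror_mismatches(local_entries, remote_entries):
    """Permits seen on only one side, expressed from the local side's point of view."""
    local = {(s, d) for a, s, d in local_entries if a == "permit"}
    remote = {(d, s) for a, s, d in remote_entries if a == "permit"}  # swap src/dst
    return {"only_local": local - remote, "only_remote": remote - local}


def nat_exemption_gaps(crypto_entries, nat_entries, exempt_action):
    """Protected pairs not covered by the NAT-exemption ACL.

    IOS exempts with 'deny' in the route-map ACL, the ASA with 'permit' in the
    nat0 ACL, so the caller names the action that means 'do not translate'."""
    exempt = [(s, d) for a, s, d in nat_entries if a == exempt_action]
    return {
        (s, d)
        for a, s, d in crypto_entries
        if a == "permit" and not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)
    }


def check_tunnel(ios_text, asa_text):
    """Run both checks with the ACL names used in the thread."""
    router_crypto = parse_acl(ios_text, "100")
    router_natmap = parse_acl(ios_text, "101")
    asa_crypto = parse_acl(asa_text, "OUTSIDE_1_cryptomap")
    asa_nat0 = parse_acl(asa_text, "DEV_Plant_nat0_outbound")
    return {
        "mirror": mirror_mismatches(router_crypto, asa_crypto),
        "router_nat_gaps": nat_exemption_gaps(router_crypto, router_natmap, "deny"),
        "asa_nat_gaps": nat_exemption_gaps(asa_crypto, asa_nat0, "permit"),
    }


def describe(pairs):
    """Stable string form for reporting and testing."""
    return sorted(f"{s} -> {d}" for s, d in pairs)


if __name__ == "__main__":
    print("as posted:", check_tunnel(IOS_ACLS, ASA_ACLS))
    # Constructed fault: the router protects one more subnet than the ASA knows about.
    extra = IOS_ACLS + "access-list 100 permit ip 172.17.0.0 0.0.255.255 172.29.0.0 0.0.255.255\n"
    result = check_tunnel(extra, ASA_ACLS)
    print("only on router:", describe(result["mirror"]["only_local"]))
    print("router NAT gaps:", describe(result["router_nat_gaps"]))
```

A pair that shows up in `only_local` or `only_remote` is the classic cause of the ASA rejecting a phase 2 proposal; a pair in one of the NAT gap sets means the tunnel may come up but traffic leaves translated and never matches the crypto ACL.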

fmjiang1966 Fri, 07/24/2009 - 07:57

Hi,


You missed the following on ASA:

crypto map TELEFIN_LAN_map 1 ipsec-isakmp

####

phase 2 SA policy not acceptable! (local 1.1.1.1 remote 2.2.2.2)

########

The debug message essentially says: phase 2 SA policy not matching, and was not acceptable. After making changes, remove and re-apply the crypto map.

Give it a try.


Fuming

epasqualotto Sun, 08/02/2009 - 23:41

If I add the line:

crypto map TELEFIN_LAN_map 1 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP


ERROR: Unable to initialized crypto map entry
